Moving server and change certificate from Certbot to win-acme

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: arnoldvdm.nl

I ran this command: cmd.exe and wacs.exe

It produced this output:
A simple Windows ACMEv2 client (WACS)
Software version 2.2.9.1701 (release, pluggable, standalone, 64-bit)
Connecting to https://acme-v02.api.letsencrypt.org/...
Connection OK!
Scheduled task not configured yet
Please report issues at GitHub - win-acme/win-acme: A simple ACME client for Windows (for use with Let's Encrypt et al.)

N: Create certificate (default settings)
M: Create certificate (full options)
R: Run renewals (0 currently due)
A: Manage renewals (0 total)
O: More options...
Q: Quit

Please choose from the menu: m

Running in mode: Interactive, Advanced
Source plugin IIS not available: No supported version of IIS detected.

Please specify how the list of domain names that will be included in the
certificate should be determined. If you choose for one of the "all bindings"
options, the list will automatically be updated for future renewals to
reflect the bindings at that time.

1: Read bindings from IIS
2: Manual input
3: CSR created by another program
C: Abort

How shall we determine the domain(s) to include in the certificate?: 2

Description: A host name to get a certificate for. This may be a
comma-separated list.

Host: arnoldvdm.nl, www.arnoldvdm.nl, ehbo.arnoldvdm.nl, arnold.arnoldvdm.nl, arnoldvdm.ddns.net

Source generated using plugin Manual: arnoldvdm.nl and 4 alternatives

Friendly name '[Manual] arnoldvdm.nl'. to accept or type desired name:

By default your source identifiers are covered by a single certificate. But
if you want to avoid the 100 domain limit, want to prevent information
disclosure via the SAN list, and/or reduce the operational impact of a single
validation failure, you may choose to convert one source into multiple
certificates, using different strategies.

1: Separate certificate for each domain (e.g. *.example.com)
2: Separate certificate for each host (e.g. sub.example.com)
3: Separate certificate for each IIS site
4: Single certificate
C: Abort

Would you like to split this source into multiple certificates?: 4

The ACME server will need to verify that you are the owner of the domain
names that you are requesting the certificate for. This happens both during
initial setup and for every future renewal. There are two main methods of
doing so: answering specific http requests (http-01) or create specific dns
records (dns-01). For wildcard identifiers the latter is the only option.
Various additional plugins are available from
GitHub - win-acme/win-acme: A simple ACME client for Windows (for use with Let's Encrypt et al.).

1: [http] Save verification files on (network) path
2: [http] Serve verification files from memory
3: [http] Upload verification files via FTP(S)
4: [http] Upload verification files via SSH-FTP
5: [http] Upload verification files via WebDav
6: [dns] Create verification records manually (auto-renew not possible)
7: [dns] Create verification records with acme-dns (GitHub - joohoi/acme-dns: Limited DNS server with RESTful HTTP API to handle ACME DNS challenges easily and securely.)
8: [dns] Create verification records with your own script
9: [tls-alpn] Answer TLS verification request from win-acme
C: Abort

How would you like prove ownership for the domain(s)?: 2

After ownership of the domain(s) has been proven, we will create a
Certificate Signing Request (CSR) to obtain the actual certificate. The CSR
determines properties of the certificate like which (type of) key to use. If
you are not sure what to pick here, RSA is the safe default.

1: Elliptic Curve key
2: RSA key
C: Abort

What kind of private key should be used for the certificate?: 2

When we have the certificate, you can store in one or more ways to make it
accessible to your applications. The Windows Certificate Store is the default
location for IIS (unless you are managing a cluster of them).

1: IIS Central Certificate Store (.pfx per host)
2: PEM encoded files (Apache, nginx, etc.)
3: PFX archive
4: Windows Certificate Store (Local Computer)
5: No (additional) store steps

How would you like to store the certificate?: 2

Description: .pem files are exported to this folder.

File path: C:\certificates

Description: Password to set for the private key .pem file.

1: None
2: Type/paste in console
3: Search in vault

Choose from the menu: 1

1: IIS Central Certificate Store (.pfx per host)
2: PEM encoded files (Apache, nginx, etc.)
3: PFX archive
4: Windows Certificate Store (Local Computer)
5: No (additional) store steps

Would you like to store it in another way too?: 5

Installation plugin IIS not available: No supported version of IIS detected.

With the certificate saved to the store(s) of your choice, you may choose one
or more steps to update your applications, e.g. to configure the new
thumbprint, or to update bindings.

1: Create or update bindings in IIS
2: Start external script or program
3: No (additional) installation steps

Which installation step should run first?: 3

Plugin Manual generated source arnoldvdm.nl with 5 identifiers
Plugin Single created 1 order
Cached order has status invalid, discarding
[arnold.arnoldvdm.nl] Authorizing...
[arnold.arnoldvdm.nl] Authorizing using http-01 validation (SelfHosting)
Unable to activate listener, this may be because of insufficient rights or a non-Microsoft webserver using port 80
An error occured while commiting validation configuration: Het proces heeft geen toegang tot het bestand omdat het door een ander
proces wordt gebruikt.
An error occured during post-validation cleanup: Cannot access a disposed object.
Object name: 'System.Net.HttpListener'.
[arnold.arnoldvdm.nl] Deactivating pending authorization
[arnoldvdm.ddns.net] Deactivating pending authorization
[arnoldvdm.nl] Deactivating pending authorization
[ehbo.arnoldvdm.nl] Deactivating pending authorization
[www.arnoldvdm.nl] Deactivating pending authorization

Create certificate failed, retry? (y/n*) - yes

Plugin Manual generated source arnoldvdm.nl with 5 identifiers
Plugin Single created 1 order
Cached order has status invalid, discarding
[arnold.arnoldvdm.nl] Authorizing...
[arnold.arnoldvdm.nl] Authorizing using http-01 validation (SelfHosting)
[arnold.arnoldvdm.nl] Authorization result: invalid
[arnold.arnoldvdm.nl] {"type":"urn:ietf:params:acme:error:connection","detail":"IP.IP.IP.IP: Fetching http://arnold.arnoldvdm.nl/.well-known/acme-challenge/WpH4UxbvfSMHToIfy2azgexDIb4glBOul3rs7rdwmlQ: Timeout during connect (likely firewall problem)","status":400,"instance":null}
[arnold.arnoldvdm.nl] Deactivating pending authorization
[arnoldvdm.ddns.net] Deactivating pending authorization
[arnoldvdm.nl] Deactivating pending authorization
[ehbo.arnoldvdm.nl] Deactivating pending authorization
[www.arnoldvdm.nl] Deactivating pending authorization

Create certificate failed, retry? (y/n*)

My web server is (include version): Apache/2.4.58

The operating system my web server runs on is (include version): Windows 11 24H2 26120.751

My hosting provider, if applicable, is: no hosting provider; domain provider is Strato, internet provider is Odido

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): latest windows version

Context information:
I have configured a working SSL version with Certbot on Windows on one machine.
Because Certbot is no longer supported on Windows machines, I have to switch to win-acme.
I have another machine running Windows so I wanted to do a fresh install on the other machine.
I need Windows because it runs other applications that only work on Windows.
So I installed Xampp on the other machine and changed the firewall to full access for Xampp and win-acme.

So I changed my internal IP to the other machine and ran the program with the above options.
It doesn't work at the same time as Xampp, so for the last option I had to stop the Apache server.

I've tried some other SSL providers like punchsalad.com, but the setup doesn't work with Xampp, not even after changing the .txt extensions to .crt and .key.

So I'm stuck.

Hello @arnoldvdm, welcome to the Let's Encrypt community. :slightly_smiling_face:

It looks like there is some geo blocking or poor connectivity.

Please read these:

http://www.site24x7.com/tools/public/t/results-1717557374203.html

Edit:
And from around the world (Permanent link to this check report) it shows mostly "Connection timed out".

1 Like

Thanks for responding.
I blocked some IP addresses on my website because they were being abused.
For example, I blocked many IP addresses from TOR networks and those that attacked my login page.
But those are blocked by PHP and not by a firewall.

2 Likes

You are trying to use win-acme self hosting, which runs its own temporary http listener on port 80 to answer challenges. Apache is running, so that stops the http listener from working because the port is already in use. You would either need to stop Apache first or possibly use the "Save verification file on (network) path" option and then serve the http challenge via Apache itself.

3 Likes
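The two diagnoses above (port 80 already held by Apache, and validation requests timing out from outside) can be checked before running win-acme again. The following PowerShell pre-flight script is an added example written for this thread, not code from win-acme or from any participant; it assumes Apache's DocumentRoot is `C:\xampp\htdocs` (adjust to your XAMPP install) and uses the host names from the post.

```powershell
# Added example: pre-flight checks for http-01 on a Windows host where Apache/XAMPP owns port 80.
# Assumed values (not from the thread): the webroot path. Host names are those from the post.
$WebRoot   = 'C:\xampp\htdocs'
$HostNames = 'arnoldvdm.nl', 'www.arnoldvdm.nl', 'ehbo.arnoldvdm.nl', 'arnold.arnoldvdm.nl', 'arnoldvdm.ddns.net'

# 1. Who holds TCP port 80? win-acme's "Serve verification files from memory" (SelfHosting) must
#    bind the port itself, so anything listed here must be stopped first, or a webroot plugin used.
Get-NetTCPConnection -LocalPort 80 -State Listen -ErrorAction SilentlyContinue |
    ForEach-Object { Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue } |
    Select-Object -Unique Name, Id |
    ForEach-Object { Write-Host ("Port 80 is held by {0} (PID {1})" -f $_.Name, $_.Id) }

# 2. Put a throwaway token where the ACME server will look, then fetch it over plain HTTP from
#    every host name, the way the validation server does. Token and body are constructed values.
$ChallengeDir = Join-Path $WebRoot '.well-known\acme-challenge'
$Token        = 'preflight-' + [guid]::NewGuid().ToString('N')
$Body         = 'preflight-body-' + [guid]::NewGuid().ToString('N')
New-Item -ItemType Directory -Path $ChallengeDir -Force | Out-Null
Set-Content -Path (Join-Path $ChallengeDir $Token) -Value $Body -NoNewline -Encoding Ascii

try {
    foreach ($h in $HostNames) {
        $url = "http://$h/.well-known/acme-challenge/$Token"
        try {
            $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
            if ($r.Content.Trim() -eq $Body) {
                Write-Host "OK         $url"
            } else {
                # Something else answered on port 80 (wrong vhost, cached page, IP-blocking script).
                Write-Warning "WRONG BODY $url"
            }
        } catch {
            # A connect timeout here is the same symptom as the thread's "Timeout during connect":
            # port 80 is not reachable from the client, which no win-acme setting can fix.
            Write-Warning "FAILED     $url : $($_.Exception.Message)"
        }
    }
} finally {
    Remove-Item -Path (Join-Path $ChallengeDir $Token) -ErrorAction SilentlyContinue
}
```

Run step 2 from a machine outside your own network where possible: from inside, the request to your public IP may succeed or fail because of the router's NAT hairpin behaviour rather than because of the firewall rule the ACME server actually hits.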

Thanks for all the help.
I managed to perform a DNS verification.
Everything works fine now.
I also discovered that certain servers of https://check-host.net/ are not working due to Trend-Micro security.
Intrusion Prevention System detects it as WEB TP-Link Archer AX21 Remote Command Injection (CVE-2023-1389).
There have now been a total of 529 attempts today.

1 Like